
spooks

How to secure your osCommerce 2.2 site.

658 posts in this topic

Contributions will have install instructions contained within; follow those.

 

If a contrib doesn't, then don't use it.

 

Use of a compare tool will also help.


I had an error with AntiXSS as well. Just putting the function into general.php broke it, without the call in application_top.php. That makes no sense... how could an uncalled function cause the page to break?


Any help for Windows installations? The .htaccess stuff does not work on the IIS server.

Any help for Windows installations? The .htaccess stuff does not work on the IIS server.

 

That is correct. It does not.

I had an error with AntiXSS as well. Just putting the function into general.php broke it, without the call in application_top.php. That makes no sense... how could an uncalled function cause the page to break?

 

If you get errors simply from adding a function, then you added the function into the middle of code or outside of the php tags. Double check the documentation and ensure that you are adding the function in the correct place.

Any help for Windows installations? The .htaccess stuff does not work on the IIS server.

So what is the procedure for securing a site on a Windows OS? Just use password protection?

I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?

 

Yeah, same thing here. I got myself banned, but I can still browse and shop all I want. My IP does not get logged, although I got the email saying it was banned. I have an .htaccess file, so I am not sure what the problem is. Any ideas out there? :blink:

 

Thanks,

 

Yol


Re: IP Trap

 

I just installed and am getting these errors:

 

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

 

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

 

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41

 

 

Help?


Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Thanks for the great post, am working through the list now. Two questions regarding the Anti XSS:

- there are two (reasonably) different contributions under that link: which is the better/more effective one?

- how do I know it's working?!

 

Thanks :)

Re: IP Trap

 

I just installed and am getting these errors:

 

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

 

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

 

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41

 

 

Help?

 

This means that your banned/IP_Trapped.txt is not writable;

set the folder to 755 and the file IP_Trapped.txt to 777

 

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

 

Have you added the call in application_top.php?

 

If you are using the latest version then it should not be any problem, as I rewrote it to be robust :-)

If you are using the latest version then it should not be any problem, as I rewrote it to be robust :-)

 

Fimble

 

was that taken care of when you did my install?

 

Ben

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'

 

Files changed:

catalog/includes/secret.php

catalog/personal/index.php

 

Regards,

Eric_K


Warning: file(DOCUMENT_ROOT/../banned/IP_Trapped.txt) [function.file]: failed to open stream: Permission denied in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 7

 

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 15

 

This is coming from the Application Top

 

I also wasn't getting banned... my IP never showed up... but then again maybe it all has to do with the error above... I disabled the application top code for now... any takers on this?


Hi, I have applied most of the recommended addons without problems, except the last one: Anti Cross Site Attack.

 

I added all 3 files from the contribution page.

After adding the contribution, I get the following error (it seems to come from the first package):

 

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/... /catalog/includes/functions/general.php on line 33

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/.../catalog/includes/functions/general.php on line 39

 

 

general.php lines 33 and 39 are as follows:

 

  
  $search .= '~`";:?+/={}[]-_|'\';  // this is #33
  for ($i = 0; $i < strlen($search); $i++) { 
     // ;? matches the ;, which is optional 
     // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars 

     // @ @ search for the hex values 
     $val = preg_replace('/([x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // this is #39
     // @ @ 0{0,7} matches '0' zero to seven times 

 

 

Is that line 33 correct? I wonder.

So I tried commenting out line 33; then it seemed to work fine, except

I couldn't add any products to the shopping cart, and could not log in as a customer.

Every email address that I enter gets changed into some other characters and it says the email and password don't match...

 

So again I went to includes/application_top.php and commented out some of the addon lines:

removing the top 2 lines made my site function normally.

 

// BOF : Remove XSS ATTACK
//		if (!empty($_POST)) array_walk_recursive($_POST, 'RemoveXSS');
//		if (!empty($_GET)) array_walk_recursive($_GET, 'RemoveXSS');
	if (!empty($_COOKIE)) array_walk_recursive($_COOKIE, 'RemoveXSS');
	if (!empty($_SERVER)) array_walk_recursive($_SERVER, 'RemoveXSS');
	if (!empty($_SESSION)) array_walk_recursive($_SESSION, 'RemoveXSS');
	if (!empty($_REQUEST)) array_walk_recursive($_REQUEST, 'RemoveXSS');
// EOF : Remove XSS ATTACK

 

Can someone help?

 

Thanks to you all.

 

genesis

Warning: file(DOCUMENT_ROOT/../banned/IP_Trapped.txt) [function.file]: failed to open stream: Permission denied in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 7

 

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 15

 

This is coming from the Application Top

 

I also wasn't getting banned... my IP never showed up... but then again maybe it all has to do with the error above... I disabled the application top code for now... any takers on this?

 

Try replacing the DOCUMENT_ROOT portion with the absolute path to the files, like:

 

/var/www/vhosts/themancaveoutletstore.com/httpdocs/banned/IP_Trapped.txt

 

in

includes/secret.php

and

personal/index.php

 

and change permission to 777 or 666 for IP_Trapped.txt

 

genesis
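The two IP Trap failures quoted in this thread (the fopen() warnings answered by Fimble above, and the file(DOCUMENT_ROOT/...) warning answered just above) share one root cause: the ban file is not being opened through a plain, absolute filesystem path. fopen('http://...') goes through PHP's HTTP stream wrapper, which is read-only (hence "HTTP wrapper does not support writeable connections"), and every warning it prints is output, which is why the later header() redirect fails with "headers already sent". DOCUMENT_ROOT used as a bare word is an undefined constant, so PHP substitutes the literal string into the path; the value meant is $_SERVER['DOCUMENT_ROOT'], and an absolute path sidesteps the problem entirely. The block below is an added example, not code from the IP Trap contribution: it refuses URLs, checks the directory and file permissions before writing, takes an exclusive lock, and returns an error string instead of emitting warnings. The BAN_FILE path and the function names are placeholders chosen here.

```php
<?php
// Added example: append a banned client address to a ban list on disk.
// Not code from the IP Trap contribution; the path below is a placeholder
// that must be replaced with the absolute filesystem path of the store.
define('BAN_FILE', '/home/EXAMPLE_USER/public_html/catalog/banned/IP_Trapped.txt');

function ip_trap_record($ip, $file = BAN_FILE) {
    // Refuse URLs: the http:// and ftp:// wrappers cannot be opened for writing,
    // which is exactly the "HTTP wrapper does not support writeable connections" warning.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $file)) {
        return 'ban file must be a filesystem path, not a URL: ' . $file;
    }
    // Only accept a well-formed address; never write raw request data to the file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'refusing to record a malformed address';
    }
    // Check the directory and file before fopen() so the failure is reported
    // instead of producing warnings (which also break the later header() redirect).
    $dir = dirname($file);
    if (!is_dir($dir) || !is_writable($dir)) {
        return "directory $dir is not writable by the web server user";
    }
    if (file_exists($file) && !is_writable($file)) {
        return "$file exists but is not writable (check its mode, e.g. 644 vs 666)";
    }
    $fh = @fopen($file, 'a');
    if ($fh === false) {
        return "could not open $file for appending";
    }
    // Exclusive lock so two concurrent hits do not interleave their writes.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return "could not lock $file";
    }
    fwrite($fh, $ip . "\n");
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

function ip_trap_is_banned($ip, $file = BAN_FILE) {
    if (!is_readable($file)) {
        return false;   // missing or unreadable list: fail open, but without warnings
    }
    $banned = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array(trim($ip), array_map('trim', $banned), true);
}

// Usage from the trap page, before any output is sent:
//   $result = ip_trap_record($_SERVER['REMOTE_ADDR']);
//   if ($result !== true) error_log('IP trap: ' . $result);
```

Because every failure comes back as a return value, the trap page can log it with error_log() and still issue its redirect; with the original code a single warning is enough to make header() a no-op, which is also why a visitor can keep browsing after the "banned" email has gone out.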


I have installed all the contributions except the Security Pro contribution, they seem to be working fine.

 

Does anyone know how I would go about setting up a cron job to automatically backup the database every 3 hours?

 

What would the code be to do this?

 

Thanks,

 

Martyn
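A backup every three hours is a cron schedule plus a script that cron runs. The following is an added example, not a contribution from this thread: a PHP script that cron invokes, which reuses the store's own database constants from includes/configure.php (DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD, DB_DATABASE) so the password is not duplicated anywhere. It assumes mysqldump and gzip are on the PATH in the cron environment; every /home/EXAMPLE_USER path is a placeholder.

```php
<?php
// Added example, not from any osCommerce contribution: a database dump script to be
// run by cron. It assumes the store's includes/configure.php defines the standard
// osCommerce constants DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD and
// DB_DATABASE, and that mysqldump and gzip are on the PATH in the cron environment.
// All /home/EXAMPLE_USER paths are placeholders.
//
// Crontab entry (crontab -e) to run it every three hours:
//   0 */3 * * * /usr/bin/php /home/EXAMPLE_USER/bin/backup_db.php >> /home/EXAMPLE_USER/logs/backup.log 2>&1

require '/home/EXAMPLE_USER/public_html/catalog/includes/configure.php';

define('BACKUP_DIR', '/home/EXAMPLE_USER/db_backups'); // keep this outside the web root
define('KEEP_DAYS', 7);

function backup_database() {
    if (!is_dir(BACKUP_DIR) && !mkdir(BACKUP_DIR, 0700, true)) {
        return 'cannot create ' . BACKUP_DIR;
    }

    // Credentials go in a temporary defaults file (mode 0600) instead of on the command
    // line, where `ps` would show the password to every user on the host.
    $cnf = tempnam(BACKUP_DIR, 'cnf');
    chmod($cnf, 0600);
    file_put_contents($cnf, "[client]\nhost=" . DB_SERVER . "\nuser=" . DB_SERVER_USERNAME
        . "\npassword=" . DB_SERVER_PASSWORD . "\n");

    $sql = BACKUP_DIR . '/' . DB_DATABASE . '-' . date('Ymd-His') . '.sql';
    $cmd = 'mysqldump --defaults-extra-file=' . escapeshellarg($cnf) . ' --quick '
        . escapeshellarg(DB_DATABASE) . ' > ' . escapeshellarg($sql);
    exec($cmd, $output, $status);
    unlink($cnf); // remove the credentials file whether or not the dump worked

    if ($status !== 0 || filesize($sql) === 0) {
        @unlink($sql);
        return 'mysqldump exited with status ' . $status;
    }

    // Compress in a second step so the exit status checked above is mysqldump's own,
    // not that of the last command in a shell pipeline.
    exec('gzip -f ' . escapeshellarg($sql), $output, $status);
    if ($status !== 0) {
        return 'gzip exited with status ' . $status;
    }
    chmod($sql . '.gz', 0600);
    prune_old_backups();
    return $sql . '.gz';
}

// Delete dumps older than KEEP_DAYS so an every-three-hours schedule does not fill the disk.
function prune_old_backups() {
    $cutoff = time() - KEEP_DAYS * 86400;
    foreach (glob(BACKUP_DIR . '/*.sql.gz') as $file) {
        if (filemtime($file) < $cutoff) {
            unlink($file);
        }
    }
}

$result = backup_database();
echo date('c'), ' ', $result, "\n";
exit(is_file($result) ? 0 : 1);
```

The backup directory deliberately sits outside the web root and the dumps are created mode 0600: a readable dump of the customers table under public_html would undo everything else in this thread. Check the log file after the first scheduled run rather than assuming the job works; a wrong PATH in cron is the usual reason mysqldump is "not found".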


Hi, I just installed SiteMonitor_V_1.7, but in admin when I click the first button it says "Reference file creation failed".

Hi, I just installed SiteMonitor_V_1.7, but in admin when I click the first button it says "Reference file creation failed".

 

 

It's OK, I have taken it off instead.


Hello,

 

There is a little PROBLEM here: http://addons.oscommerce.com/info/6044

 

I've installed the latest Anti XSS+SQL Injection to help PCI Compliance by chrish123 added 19 Jul 2008.

 

When I click the <buy now> button on advanced_search_result.php the product is added to the customer's basket,

BUT I get redirected to the iplog.txt telling me I should go away ... which is no good at all.

 

When those lines are cut out of .htaccess (commented out), clicking the button gives no redirect:

 

This is the relevant part in .htaccess

# extra anti uri and xss attack script 2 - sql injection prevention
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (java script:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]

 

Should I keep only the pixclinic part of this contribution ?

Thanks for your kind advice,

David
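To find out which of those rules trips on a given link, the same patterns can be run through PHP's preg_match(): Apache's mod_rewrite and PHP both use the PCRE library, and [NC] corresponds to PHP's /i modifier. The block below is an added example, not part of the contribution or of David's post; the rule names and the sample URLs are constructed here. Two details matter when reproducing a RewriteCond: %{QUERY_STRING} is matched in its raw, still URL-encoded form, and the final RewriteRule matches the URL path (not the query string), so it is checked separately.

```php
<?php
// Added example (not part of the contribution or the original post): report which of
// the quoted .htaccess rules fire on a given request. The patterns are copied from the
// post verbatim; [NC] becomes the /i modifier.

$rules = array(
    'quote then angle bracket' => '/("|%22).*(>|%3E|<|%3C).*/i',
    'script tag'               => '/(<|%3C).*script.*(>|%3E)/i',
    'javascript: with ;'       => '/(java script:).*(;).*/i',   // exactly as the post shows it
    'quote then SQL keyword'   => '/(;|\'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*/i',
);

// The last RewriteRule in the post, (,|;|<|>|'|`), is matched against the URL path,
// not the query string, so it is checked against the path component on its own.
$path_rule = '/(,|;|<|>|\'|`)/i';

function rules_fired(array $rules, $query_string) {
    $fired = array();
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $query_string)) {
            $fired[] = $name;
        }
    }
    return $fired;
}

// Constructed sample requests: the first two are ordinary shop traffic (the second with
// an apostrophe typed into the search box), the third is what the rules exist to stop.
$samples = array(
    '/advanced_search_result.php?keywords=red+shirt&sort=2a&action=buy_now&products_id=12',
    "/advanced_search_result.php?keywords=men's+shirt&sort=2a&action=buy_now&products_id=12",
    '/advanced_search_result.php?keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
);

foreach ($samples as $url) {
    $parts = parse_url($url);
    $qs    = isset($parts['query']) ? $parts['query'] : '';
    $hits  = rules_fired($rules, $qs);
    if (preg_match($path_rule, $parts['path'])) {
        $hits[] = 'path rule';
    }
    printf("%-90s %s\n", $url, $hits ? implode(', ', $hits) : '(passes)');
}
```

Run it against the real buy-now URL copied from the page source of advanced_search_result.php. The thing to notice in the "quote then SQL keyword" rule is the alternation: it contains or, and and if with no word boundaries, so as soon as a quote or semicolon appears anywhere in the query string, an ordinary parameter name such as sort (which contains "or") is enough to complete the match and send the customer to log.php. Anchoring the keywords (\bor\b, \bunion\b) or dropping the two-letter words removes that class of false positive without weakening the rule's purpose.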


Do you still need to do all these things if you have a SSL certificate setup? Thanks


You have to be patient, we're providing free help, so you must wait till we have time.

 

The answer is yes; SSL only provides a secure connection, it does not 'secure' your site.

 

The hackers are out there & if you don't protect it they WILL get you.

 

I have a test site for which there is no domain; it's not published & without the IP you'll never find it, yet even that got attacked!!

You have to be patient, we're providing free help, so you must wait till we have time.

 

The answer is yes; SSL only provides a secure connection, it does not 'secure' your site.

 

The hackers are out there & if you don't protect it they WILL get you.

 

I have a test site for which there is no domain; it's not published & without the IP you'll never find it, yet even that got attacked!!

 

Thanks for your reply, I am paranoid about making my site more open to the public by launching it. I do appreciate the free help, but I have to say more than half the time I post something I do not get a reply, not that it's your fault of course.


Hi,

I'm not sure if this is the place for this, but as it's a security related issue, I hoped someone may have some ideas.

 

I've been using the 'whosonline' contrib for some time now, and as a result I've noticed an interesting connection to my site.

Basically, the 'customer' behaves like a bot, working its way through the pages of the site 24 x 7. It doesn't have a session ID, or appear to go anywhere it shouldn't, however it's a permanent visitor to the site, with its online time counter only resetting every 24 hrs, so at the least it's a resource hog.

 

- Now the weird part (to me at least!)

Its IP keeps changing! It cycles through various sets of IPs ranging from Yahoo bot to private/ISP/Google addresses. I have tried banning the IP addresses it uses, but it simply 'morphs' to a new one (I gave up after 50 addresses, as many were inside address pools used by ISPs, and I didn't wish to ban legitimate users). The next weird part is that whosonline doesn't see this as a new visitor; it keeps the online time and entry time counters and updates the IP address.

 

Obviously there's some sort of spoofing going on here, the question is, how to stop it! - it only makes a database query every 30-40 seconds, so it's not tripping any DOS alarms on the server/firewall.

 

 

Has anyone else seen anything similar, or have any ideas about what this could be (and how to stop it)???
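One mechanism that matches every symptom described above (the address changes from request to request while the visitor record does not, and banning any one address has no effect) is a client that sends a forged X-Forwarded-For header: osCommerce 2.2's tep_get_ip_address() returns HTTP_X_FORWARDED_FOR whenever that header is present, and whosonline stores whatever that function returns. Whether that is what this poster is seeing is an assumption, not something the thread confirms. The block below is an added example, not code from osCommerce or from the whosonline contribution: a client-address function that only believes forwarding headers when the TCP peer is a proxy the operator has listed. The trusted-proxy address and the sample requests are constructed.

```php
<?php
// Added example, not code from osCommerce or the whosonline contribution.
// Assumption: the store's IP lookup (tep_get_ip_address) prefers HTTP_X_FORWARDED_FOR,
// a header any client can set to an arbitrary value. This replacement only honours
// forwarding headers when the TCP peer (REMOTE_ADDR) is a listed proxy; otherwise the
// recorded address is the peer itself, which a client cannot choose.

// Placeholder: addresses of the reverse proxies / load balancers in front of the store.
// For a store that serves directly, leave this empty and REMOTE_ADDR is always used.
$trusted_proxies = array('10.0.0.5');

function trusted_client_ip(array $server, array $trusted_proxies) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '0.0.0.0';

    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;   // direct connection: forwarding headers are client-controlled, ignore them
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer it saw.
    // Walk from the right, skipping our own proxies; the first untrusted hop is the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            // Never store an unvalidated header value: fall back to the peer if it is not an IP.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
        }
    }
    return $peer;
}

// Constructed requests: a direct client that sends its own X-Forwarded-For, and a
// genuine request that arrived through the listed proxy.
$direct_with_forged_header = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.44',
);
$via_trusted_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
);

echo trusted_client_ip($direct_with_forged_header, $trusted_proxies), "\n";
echo trusted_client_ip($via_trusted_proxy, $trusted_proxies), "\n";
```

With this in place of the header-first lookup, the whosonline row for such a visitor stops cycling through addresses and shows the one the connection actually came from, which is the address a ban has to be applied to. If the store really is behind a proxy, the proxy's access log is the place to confirm which header it sets and what the true peer address is.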
